
Windows executables and installer lack digital signatures by Blender Foundation.
Closed, Invalid
Public

Description

Source: Links downloaded from multiple mirror locations (all of x64, x86, zip) from https://www.blender.org.
Example: blender-2.77a-windows64.msi
Issue: Files are not digitally signed.
Consequence: prevents Blender from being installed or run inside organizations whose IT policies prevent any external digitally unsigned executables from being executed on a Windows machine, or executed/run by any other responsible person with a Windows machine.

Details

Type
Bug

Event Timeline

Thomas Dinges (dingto) closed this task as Invalid.
Thomas Dinges (dingto) claimed this task.

We don't sign binaries on Windows. That is not considered a bug.

Well... considering the installers are served over http, without TLS, downloaded binaries could be changed to malicious software by any network node on the path between the mirror and my computer.

Not signing the binaries leaves every user exposed to fairly simple yet devastating attacks.

That's reason enough for me to give up on getting started with Blender.

Thanks. Much better. Still would feel safer with signed binaries, but much better than the download links on the download page.

And md5 fingerprints? Better than nothing for sure, but I thought the official stance on MD5 was: run away from it :)